Date: Fri, 16 Sep 2011 09:28:08 -0400
From: Kevin Wilcox <kevin.wilcox@gmail.com>
To: Free BSD Questions list <freebsd-questions@freebsd.org>
Subject: PF and dup-to?
Message-ID: <CAFpgnrP7fqOdavUgZrsTjveV23i3yfLLpaw8kdbXqmAg_7kVUw@mail.gmail.com>
Hi folks,

I have the following pf.conf on FreeBSD 8.1-RELEASE *and* 8.2-RELEASE

===============================
set block-policy return
set skip on lo

int_if=bge1
ext_if=bge0
dup_if=dc0

# NAT rule
nat on $ext_if from $int_if:network to any -> ($ext_if) sticky-address

#
# Windows RDP redirection...
#
# we have to stick a pass rule inside the rdr rule.
# I think it's nasty but it works.
#
rdr pass on $ext_if proto tcp from any to $ext_if port rdp -> 10.201.201.101

# same for the Apache test instance
rdr pass on $ext_if proto tcp from any to $ext_if port http -> 10.201.201.102

# And to proxy web traffic from the inside
# disabled temporarily
# rdr pass on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

# block everything
block in all
block out all

pass out quick on dc0

# allow everything from the NAT and any outbound connections from the FW
pass in on $int_if from any to any keep state
pass out on $ext_if from any to any keep state

#
# SSH
#
# allow inbound on the external interface
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state

#
# Windows Remote Desktop
#
pass out on $int_if proto tcp from any to 10.201.201.101 port rdp keep state

#
# Apache test instance
#
pass out on $int_if proto tcp from any to 10.201.201.102 port http keep state

#
# temp to allow any connections from the FW to come to the internal net;
# note this is inclusive of the above two pass out rules
pass out on $int_if from ($int_if) to 10.201.201.0/24
===============================

When I change

pass in on $int_if from any to any keep state

to

pass in on $int_if dup-to $dup_if from any to any keep state

or

pass in on $int_if dup-to ($dup_if 192.168.1.2) all

all traffic to the outside stops passing.
In addition, I get a TON of kernel messages:

arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222

My understanding of dup-to is that it should allow the interface to basically act as a span port: the original traffic gets passed via the normal routing rules and a copy of each packet gets sent out $dup_if and should be visible via tcpdump on the other end, but a tcpdump on dc0 never sees the traffic leaving the interface.

Apparently I have a fundamental misunderstanding somewhere along the way, or I've been looking at this for far too long over the last few days and I'm missing something extremely basic. I'll test with another laptop with a different configuration and reply back with any success I find.

Thanks!

kmw
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFpgnrP7fqOdavUgZrsTjveV23i3yfLLpaw8kdbXqmAg_7kVUw>